The Financial Conduct Authority (FCA) is taking every opportunity to warn payment and e-money institutions over “unacceptable” practices in safeguarding client funds, as well as around risk governance and financial management.
Payments Compliance recently reported that several senior officials at the UK regulator emphasised that reviews of the sector carried out since late 2017 — when a specialist payments division was established — have yielded troubling findings and that firms should expect enforcement action.
And fscom’s senior manager, Rachel Stevenson, reported back the same message from the 2019 Fintech festival in Edinburgh.
"While safeguarding has been the main focus of non-bank PSPs’ attention since the Dear CEO letter in July, we’re expecting that, as suggested at the Fintech festival, the publication of the findings from the multi-firm review at the end of 2018 covering capital adequacy within the payments sector is due in the near future."
"The current external environment also shines a light on the need for capital adequacy as a buffer for the unexpected or difficult situations and preparedness for an orderly wind down with three payment services institutions entering administration within a two-month period at the end of this summer: Supercapital Ltd, Ipagoo LLP and Glint Pay Services Ltd."
Why is the FCA so focused on safeguarding and capital adequacy?
Consumer protection, it is as simple as that. The FCA has an operational objective to protect consumers; safeguarding and capital adequacy are the most pragmatic way to ensure that the consumer’s money is protected. Safeguarding ensures the consumer’s money is available to be returned in the event the business goes bust and capital adequacy is both the ‘skin in the game’ (incentivising good behaviour) and may help prevent companies from ending up in the position of administration because it acts as a buffer or facilitates an orderly wind down. Of course, they are also linked because a business that is in financial difficulties may be tempted to dip into the funds it receives from its clients.
What do payment and e-money institutions have to do?
Assess your capital adequacy
Payment and e-money institutions should be well aware of their minimum and ongoing capital requirements but we find they can make two crucial mistakes.
One is that some don’t understand what can and cannot be used as capital, for example, erroneously counting preference shares as tier 1 capital. The rules were updated in PSD2 to incorporate the definition of qualifying capital in the Capital Requirements Directive IV (CRD IV).
The other is that PSPs don’t review frequently enough whether they have adequate capital. We often recommend that payment and e-money institutions should use a risk assessment process to establish whether they hold enough capital to protect against foreseeable future risks. In other words, they should undertake an ICAAP.
This recommendation is very definitely in the FCA’s direction of travel. The recently concluded consultation, ‘Our framework: Assessing Adequate Financial Resources’, specifically calls out PRIN 4 (financial prudence) as a requirement for all payment service and e-money institutions and describes an ICAAP, granted never using the actual terminology.
An ICAAP is new for our business, what is it?
In short, an ICAAP is a process a firm follows to assess the risks it’s facing currently and in the foreseeable future and calculate an amount of capital it should hold as a buffer against those risks.
The long version, an ICAAP stands for Internal Capital Adequacy Assessment Process. The requirement comes from the CRD IV, which in turn represents the European implementation of Basel III. The purpose of Basel III is to enhance the capital adequacy of banks and investment firms through a comprehensive set of reform measures aimed at strengthening the regulation, supervision and risk management of the banking and financial services sector.
The ICAAP enables firms to assess the level of capital that adequately supports all relevant current and future risks in their business, and to demonstrate they have appropriate processes in place to manage risk.
How do I perform an ICAAP?
The first step is to quantify the risks your business faces (in a process similar to that undertaken for the operational and security risk requirement, or REP018 as it is known in the UK).
The second step is to assess the quality of the capital you have to establish whether your capital resources are adequate. The rules set out the type of risk to be assessed (for example, market risk, liquidity risk, concentration risk, pension obligation risk etc.) and the expected minimum standards, processes and mitigation to be considered for each.
You should also:
- regularly assess the amounts, types and distribution of the financial and capital resources;
- identify the situations in which you may not be able to meet liabilities as they fall due;
- conduct stress and scenario testing; and
- ensure the processes, strategies and systems are comprehensive and proportionate to the nature of the firm’s activities.
The ICAAP should be completed at least annually and must be presented in a stand-alone document that also details the firm’s business model, strategy and business plans.
So, I just have to do this?
Payment and e-money institutions don’t have to do an ICAAP but they do have to meet their capital requirement and have robust risk management processes in place. We have seen clients gain a better understanding of their business and therefore gain commercial advantages through their effort in producing an ICAAP.
In reviewing operational and security risks (as part of REP018), PSPs have identified ways to improve processes and make resource efficiencies and cost savings. For example, a firm assessed that the initial outlay to automate the KYC re-verification process was justified by the reduction in the medium to long term risk as well as efficiency savings. Another PSP that reviewed its concentration risk of having only one dealer, compared service offerings across the market and was able to secure a second dealer at a lower cost as well as benefiting from being able to offer a better service to clients and reduce its risk exposure.
Stress testing finances has helped firms set out their strategic options in the event of certain economic and political developments. The obvious example, as stated before, is the impact of various Brexit scenarios on their EU-wide client base, on exchange and interest rates, and resulting trade volumes. This is not only providing a useful assessment of business resilience under those circumstances but is also sparking ideas that will evolve into business plans for different outcomes.
If you would like to discuss how you can better understand and manage your risk, contact me or one of my colleagues.